Wearable medical technology startup Ultrahuman announced that hackers gained unauthorized access to customer health data after stealing employee credentials through malware.
The India-based startup notified affected customers about the incident via email on Wednesday, saying the breach occurred on March 27 and involved systems used for internal analysis. The company said it immediately detected the intrusion, took the affected systems offline, and revoked all access.
Founded in 2019, Ultrahuman sells smart rings and metabolic health tracking devices that allow users to monitor metrics such as sleep, activity, and recovery. The startup is best known for the Ring Air, which competes with the Oura Ring, and recently announced the Ring Pro with upgraded sensors and battery life.
Ultrahuman confirmed the incident and told TechCrunch that the attackers gained access using credentials stolen from an employee's malware-infected laptop, resulting in health data belonging to about 0.1% of users being accessed.
At least 700 customers had their health data accessed, based on the company's previously reported number of approximately 700,000 monthly active users. Ultrahuman did not dispute this figure, but declined to disclose the exact number of customers affected. The company said no passwords, payment information, production systems or Ultrahuman Ring devices were compromised.
“Our security alert system detected the incident within hours and quickly resolved the vulnerability,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.
Kumar added that the startup had notified regulators and that there was a delay in notifying affected users while the company audited the full scope of the incident to determine what data was affected.
Ultrahuman declined to provide details on whether it had received any communications from the hacker responsible for the incident, nor did it say what exactly constituted “health data.” The breach highlighted how health tracker startups like Ultrahuman and Oura store users' data on their servers, making customer health data accessible not only to employees but also to governments and malicious hackers.
The company said in an FAQ published on its website that the attackers gained “read-only” access to the affected systems. However, the company did not say if its investigation determined whether customer data had been compromised.
Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised about $103 million to date, according to Tracxn.

